3 min read

As per a recent report by Naked Security, Google is planning to remove XSS Auditor from its Chrome web browser which is its built-in function designed for detecting cross-site scripting (XSS) vulnerabilities. 

Usually, an attacker injects their own code onto a legitimate website while performing the XSS attack. The attackers either adds the malicious code to a legitimate URL or they post content to a site that stores and displays what they’ve posted (persistent XSS). And if someone looks at the code injected by the attacker it would execute a command in their browser which can then result in stealing the victim’s cookies for infecting them with a virus.

XSS Auditor uses a blocklist for identifying suspicious characters or HTML tags in request parameters and match them with content for spotting attackers that inject code into a page.

Some developers have an issue with it because according to them, it doesn’t catch all XSS vulnerabilities in a site. The XSS Auditor also doesn’t spot an XSS code called bypasses which is common online.

XSS Auditor has also been criticized a lot because attackers use XSS Auditors to disable the code on websites and is used for bypass techniques. Also, patching the XSS Auditor bypasses had brought issues in Chrome itself. 

Google’s engineers had adapted XSS Auditor for filtering out troublesome XSS code instead of blocking access but it seems it wasn’t enough so they finally thought of taking it off.

Last year, while discussing the plan to remove XSS Auditor, Google senior security engineer Eduardo Vela Nava said, “We haven’t found any evidence the XSSAuditor stops any XSS, and instead we have been experiencing difficulty explaining to developers at scale, why they should fix the bugs even when the browser says the attack was stopped. In the past 3 months we surveyed all internal XSS bugs that triggered the XSSAuditor and were able to find bypasses to all of them.”

In Google Groups discussion, Google security engineer Thomas Sepez said, “Bypasses abound. It prevents some legit sites from working. Once detected, there’s nothing good to do. It introduces cross-site info leaks. Fixing all the info leaks has proven difficult.”

Here, the question arises about how will the web developers check if their sites are buggy Without XSS Auditor.

A feature that could act as a replacement to XSS Auditor is in development, it is basically an application programming interface (API) known as Trusted Types. It also treats user input as untrustworthy by default and further forces developers to take steps to sanitise it before it could be included in a web page.

A user commented on HackerNews, “I’m working on the Trusted Types project in Google. To clarify, Trusted Types are not a replacement for XSS auditor. They are both related to XSS, but are fundamentally different and even target different flavors of XSS.” 

According to a few users, the XSS Auditor was not that useful. Another comment reads, “Whilst the XSS auditor was able to protect against quite a wide range of payloads for reflected vulns, I think it caused more harm than good.”

Read Next

Google Cloud and Nvidia Tesla set new AI training records with MLPerf benchmark results

Google’s language experts are listening to some recordings from its AI assistant

Google Project Zero reveals an iMessage bug that bricks iPhone causing repetitive crash and respawn operations